MIDRANGE dot COM Mailing List Archive



Home » MIDRANGE-L » July 2014

Expired password change anomaly




I've noticed something I can't explain.

Given an account with an expired password:

If I sign on to a terminal session, and refuse to change the password, it doesn't let me in, but neither does it increment the "Password verifications not valid" counter.

On the other hand, we have a client-server product that recognizes expired passwords, enforces the expiration, and uses QSYCHGPW to allow the user to change the expired password through the client-server connection.

At no time in its life-cycle does any server job use a profile handle to do a "user swap"; rather, a profile handle is obtained strictly to verify the password, and then a child-server job is submitted under the user's profile, and the socket is transferred to the child-server job.

It seems that when an expired password is processed through the product, IF ONE CANCELS THE SIGN-ON INSTEAD OF SETTING A NEW PASSWORD, the "Password verifications not valid" counter increments. But it doesn't increment immediately, but rather, it increments WHEN THE SOCKET IS CLOSED, AND THE JOB CURRENTLY HOLDING THE SOCKET (WHICH OBTAINED THE PROFILE HANDLE) EXPIRES.

I can't make head or tail of this behavior. It certainly doesn't appear to be trying to obtain any profile handles with bad passwords.

--
JHHL






This mailing list archive is Copyright 1997-2014 by MIDRANGE dot COM and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact